
I use ProxyCommand with the intention of avoiding ssh agent forwarding. Today I noticed that Gnome was starting ssh-agent, which I'm trying to avoid using, so I disabled it. I'd like to not have the agent running so I can't accidentally start forwarding it if I'm ever careless with setup/config of the ssh client. I'm a consultant and one of the very worst nightmares is that someone co-opts my credentials to do bad things, making it look like I did bad things, which costs me business or even gets me sued. The present case where I hit this problem is configured as shown below. I've determined that it's not even the ProxyCommand that is requiring ssh-agent. Below is the anonymized bastion config from my ~/.ssh/config (actually it's included from a customer-specific directory ~/clients/foo/secrets/, but this all worked previously so there should be no problem there)

Host bastion
   HostName xxx.xxx.xxx.70
   User ubuntu
   IdentityFile ~/clients/foo/secrets/bastion.key
   IdentitiesOnly yes
   ForwardAgent no

When I do

ssh bastion -vvv

It stalls out at:

debug1: Found key in /home/gus/.ssh/known_hosts:67
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks

This post on Ask Different identifies that as a "waiting for agent" problem. I'm on Ubuntu 18.04, but I assume the same error messages indicate the same problem regardless. Unfortunately, that answer focuses on fixing/enabling the agent, and I want to run without it so it can't ever get forwarded and subsequently abused.

How do I convince ssh to use the key from the config and not ask the agent for keys? Note that this connection worked fine before I killed the ssh-agent and removed it from Gnome startup. And the only thing I have added since (to no apparent effect) is the ForwardAgent line. Note that I've logged out and logged back in to ensure that there's no issue with a zombie process that came from killing the agent initially, and verified that the only process running with ssh in the name is sshd (which is expected and should be unrelated).

For reference the next hop will look like this:

Host target
   HostName xxx.xxx.xxx.152
   user ubuntu
   IdentityFile ~/clients/foo/secrets/target.key
   IdentitiesOnly yes
   ForwardAgent no
   ProxyCommand ssh -W %h:%p bastion

And previously that was working fine too such that ssh target asked me for successive pass-phrases for each machine and then logged me into target.

EDIT: starting ssh-agent does let me in again but that's not what I'm looking for. The failed attempts leave only Connection closed by xxx.xxx.xxx.xxx port YYYY [preauth] in auth.log.

Gus
  • does it work if you do `ssh -a ubuntu@bastion -i ~/clients/foo/secrets/bastion.key`? Also, what does the log on the bastion host say when you connect? – Sturban Jan 18 '21 at 21:10
  • @Sturban that produces identical results, both with and without agent started. Edited to add details regarding logs on the server (not much). – Gus Jan 18 '21 at 22:33

1 Answer


https://man.openbsd.org/ssh_config#IdentityAgent or `man 5 ssh_config` on your system

IdentityAgent
Specifies the UNIX-domain socket used to communicate with the authentication agent.
... Setting the socket name to none disables the use of an authentication agent. ....

dave_thompson_085
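The fix from the answer applied to the two-hop setup in the question, as an added example that is not part of the original post or of OpenSSH itself. It assumes OpenSSH 7.3 or later (IdentityAgent first appeared there; the 7.6 that Ubuntu 18.04 ships qualifies) and an `ssh` binary on PATH for the verification step; the host names, addresses and key paths are the question's placeholders. Two points the thread leaves implicit: `ssh -a` (tried in the comments) only disables forwarding of the agent connection, the client still asks SSH_AUTH_SOCK for keys, which is why it behaved identically; and because the ProxyCommand spawns a second `ssh` that reads the same config, the setting has to reach both hops, which a `Host *` block does. `-o IdentityAgent=none` does the same for a single invocation.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenSSH itself.
# Writes a client-specific ssh_config that never contacts an agent and then
# asks ssh (via "ssh -G") what options it would really use for each hop.
set -eu

# Constructed sample config. Host names, addresses and key paths mirror the
# placeholders in the question; they are not real hosts.
write_no_agent_config() {
    cat > "$1" <<'EOF'
# "Host *" matches every connection that reads this file, including the
# inner "ssh -W %h:%p bastion" the ProxyCommand spawns, so both hops are
# covered. IdentityAgent needs OpenSSH 7.3 or newer (Ubuntu 18.04 ships 7.6).
Host *
   # never open SSH_AUTH_SOCK: no agent to query, and nothing to forward
   IdentityAgent none
   # do not hand decrypted keys to an agent either
   AddKeysToAgent no
   ForwardAgent no
   IdentitiesOnly yes

Host bastion
   HostName xxx.xxx.xxx.70
   User ubuntu
   IdentityFile ~/clients/foo/secrets/bastion.key

Host target
   HostName xxx.xxx.xxx.152
   User ubuntu
   IdentityFile ~/clients/foo/secrets/target.key
   ProxyCommand ssh -W %h:%p bastion
EOF
}

# Print the value ssh will actually use for keyword $2 when connecting to
# host $3 with config file $1. "ssh -G" evaluates Host/Match blocks and
# prints the result as lowercase keywords without connecting anywhere.
effective_option() {
    ssh -G -F "$1" "$3" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# Stand-alone usage: write the config to a temp file and report both hops.
# With the ProxyCommand in place the real command is just "ssh target".
cfg="$(mktemp)"
write_no_agent_config "$cfg"
if command -v ssh >/dev/null 2>&1; then
    for h in bastion target; do
        echo "$h: identityagent=$(effective_option "$cfg" identityagent "$h")" \
             "forwardagent=$(effective_option "$cfg" forwardagent "$h")"
    done
else
    echo "ssh not installed; wrote sample config to $cfg" >&2
fi
```

In the question's layout the file is pulled in through an `Include` from ~/.ssh/config rather than passed with `-F`, which works the same way: the `Host *` block still applies to the inner ProxyCommand ssh. Re-running `ssh -vvv bastion` after the change should get past the `rekey after ... blocks` line straight to the key offer from the IdentityFile, with no pause for an agent that is not there.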